Disabling DES and 3DES Ciphers on the Hue Web Server

asked Aug 19, 2017 in Hadoop by admin (4,410 points)
Summary
Security audits can flag the Hue web server as "vulnerable" because the DES and 3DES ciphers are available. This article details how to disable these ciphers in the Hue web server configuration.
Symptoms

The Hue web server has DES and 3DES ciphers enabled.
A vulnerability validation has marked this as vulnerable, and the ciphers need to be disabled.

Applies To
  • Hue web server
  • SSL/TLS
  • Ciphers
  • DES
  • 3DES
Cause
Instructions
Use the following steps to disable the DES and 3DES ciphers in the Hue web server configuration.
  1. Go to the Cloudera Manager UI and navigate to Hue > Configuration > "Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini".
  2. Add the following property using the available ciphers (listed below), and append either "-DES:-3DES" (removes the ciphers from the list, although a later entry in the string can add them back) or "!DES:!3DES" (removes them permanently, so no later entry can re-enable them).
     
    [desktop] 
    ssl_cipher_list=<CIPHER_LIST>
    
    List of Ciphers
    ssl_cipher_list=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!DH:!ADH
    For example, to permanently disable the DES and 3DES ciphers, the end of the cipher list would look like the following:
    ...:DES-CBC3-SHA:!DSS:!DH:!ADH:!DES:!3DES
    For more information on the cipher list format and syntax see the following web page: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html
 
  3. Restart the Hue service.
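
To check the snippet before restarting Hue, the following added example (not part of the original article or of Hue) reads `ssl_cipher_list` from a `[desktop]` snippet and expands it with the OpenSSL library linked into the local Python interpreter. The function names and the constructed `SNIPPET` are assumptions for illustration; the cipher string is the one listed in step 2 with `!DES:!3DES` appended.

```python
import configparser
import ssl

# Cipher list from step 2 of the article (copied verbatim).
PAGE_LIST = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!DH:!ADH"
)

# Constructed safety-valve snippet: the page's list plus the permanent exclusions.
SNIPPET = "[desktop]\nssl_cipher_list=" + PAGE_LIST + ":!DES:!3DES\n"


def cipher_list_from_snippet(ini_text):
    """Return desktop.ssl_cipher_list from a hue_safety_valve.ini snippet."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parser.get("desktop", "ssl_cipher_list")


def effective_ciphers(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no cipher is left
    return [c["name"] for c in ctx.get_ciphers()]


def des_suites(cipher_string):
    """Names of DES/3DES suites still enabled after expansion."""
    return [name for name in effective_ciphers(cipher_string) if "DES" in name]


if __name__ == "__main__":
    hardened = cipher_list_from_snippet(SNIPPET)
    print("enabled suites:", len(effective_ciphers(hardened)))
    print("DES/3DES left :", des_suites(hardened) or "none")
    # '!' is permanent: naming a 3DES suite again later must not re-enable it.
    print("after re-add  :", des_suites(hardened + ":DES-CBC3-SHA") or "none")
```

The result reflects the OpenSSL build used by the Python interpreter that runs the check, so run it on the Hue host to see what that server would offer.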
